Laws Can't Save Banks From DDoS Attacks

A threat information-sharing bill wouldn't do much to help banks defend themselves against distributed denial of service (DDoS) attacks.


The co-author of the Cyber Intelligence Sharing and Protection Act (CISPA) ought to know better.

Rep. Mike Rogers (R-Mich.), who is also chairman of the House Intelligence Committee, told NBC News on Wednesday that the Operation Ababil bank disruption campaign run by al-Qassam Cyber Fighters could be stopped, if only private businesses had unfettered access to top-flight U.S. government threat intelligence. Currently the federal government is "trying to share cyber threat information with these banks to help them get ahead of these attacks," Rogers said. "Unfortunately, a series of policy and legal barriers is impeding that cooperation, as well as slowing down cooperation within the private sector and making it less effective."

The problem with that reasoning is that the bank disruptions -- often publicized in advance by the attackers themselves -- overwhelm targeted networks through sheer volume of packets. They don't rely on stealthy or previously unseen techniques that banks would have difficulty spotting if only they had access to better attack data.

Said Rico Valdez, a senior threat researcher at Bit9:
"Threat intelligence ... for more targeted attacks -- where adversaries are trying to penetrate your systems, get in, steal data, intelligence -- can be very, very useful. But in the world of DDoS attacks, there's just not a ton that can be done there."

Valdez continued: "Some intelligence can help you -- it's good to know the attack techniques being used, that might help you put in place better mitigation technologies. But most of the [DDoS] attacks these days are sheer packets-per-second attacks, designed to overwhelm your infrastructure so that you can't service any requests. In that type of scenario, with threat intelligence, it's ... not going to effectively help your mitigations."

A spokeswoman for Rep. Rogers, contacted by phone and email, didn't immediately respond to our requests for comment. But in Rogers' comments to NBC, the Congressman also suggested that banks simply can't blunt the full fury of a nation state's DDoS disruption campaign. "These banks are among the best in the country when it comes to cyber security, but even they are having trouble keeping up with attacks that have the sophistication and the level of resources that a nation-state entity like Iran can devote to them," he said.

In fact, multiple security experts I've spoken with contend that banks are combating the DDoS attacks quite well via layered defenses, DDoS scrubbing services from third-party providers, and dedicated DDoS mitigation defenses running on premises or in the cloud. In some cases, banks can also use content delivery networks that spread instances of their sites across different geographical regions, helping minimize the effects of a DDoS-generated disruption in any one of those areas.

As a result, bank officials say that even in the face of massive DDoS attacks, their websites are for the most part remaining online, or going offline just briefly. Still, during the DDoS disruptions more customers than normal might not be able to reach their websites, perhaps as a side effect of scrubbing or other DDoS defenses that might be temporarily blocking their PC, network segment or geographic region. "Typically what customers see [from DDoS attacks] is slow responses ... especially with these banking sites," said Bit9's Valdez. "So it's not like [attackers] are taking down the servers. The servers are still there, they're running, they're happy. But they're effectively preventing them from responding to legitimate requests, because they're just eating up all their cycles."

That's just a DDoS attack fact of life. "Everyone is vulnerable, to some extent," he said. "The reality is you've got a pipe attached to your system, and there's only so much that can go through that pipe, and when attackers are filling it up with junk, you can't get the rest through." Scrubbing services can route the traffic down an even bigger pipe and let only the good stuff through, but that approach requires large pipes -- typically operated by service providers -- and isn't foolproof.

"There is always the possibility with anything like that, when you're getting into a blocking or scrubbing type of mode for that technology, to occasionally cause disruption to legitimate service," said Chris Novak, managing principal of the RISK Team for Verizon Enterprise Solutions. "However ... talking to entities in financial services and others, we haven't received feedback that it's affected in any meaningful way the organizations we're working with."

That isn't to say that threat intelligence might not help banks defend themselves better against some types of attacks. "In my view it is the peer-to-peer sharing that is most helpful here," said Doug Johnson, VP of risk management policy for the American Bankers Association, an industry trade group, by email. "We on the private side are the recipients of and actively share the threat signatures. Our ability to get the ISPs to act on those signatures by shutting down sites would be enhanced with the greater liability protections within CISPA."

In other words, banks still see room to improve threat mitigation, and some type of cyber-threat intelligence legislation or White House voluntary executive order might help them take the gloves off, at least for some types of attacks. The CISPA legislation that Rep. Rogers co-authored passed in the U.S. House of Representatives last year but then died in the Senate amid strong opposition from privacy rights groups and the Obama Administration. Rogers reintroduced it earlier this year.

But given the technical limits on how far DDoS attacks can be mitigated, U.S. banks are arguably already defending themselves as well as the technology allows, and no Congressionally delivered intelligence would improve on those efforts.


I didn't see too many folks howling that the sheer volume of traffic was taking them down (a la the recent open DNS mess), rather it was the SSL terminators that were burdened with handshakes, and the web apps receiving gobs of garbage logins/searches that ruined everyone's day. I'm totally open to the idea that I may be wrong, or that my position in the layered architecture prevented me from seeing the relevant border router data, but as a web session intelligence guy, I just haven't seen the clogged pipe assertion supported by the data.

I do disagree with the idea there's not much you can do to thwart a HULK-style DDoS attack. If we'd given banks the generic heads up that they should take steps to detect and temporarily deflect requests from IPs that (1) made 10 or more requests per second (2) changed their UA string in at least 60% of those requests and (3) focused 80% or more of those requests on a single resource, we could have taken a serious bite out of this thing. The "zero day" for HULK was back in March. I'm not saying government is necessarily the right choice for an intel clearinghouse, but if we'd collectively taken steps to inoculate last Spring, things would have turned out differently.
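The three-part heuristic in the comment above (10 or more requests per second from one IP, a User-Agent change on at least 60% of them, 80% or more aimed at a single resource) is concrete enough to run over access logs. The following is an added example written for this page, not code from the article, the commenter, or any vendor; the one-line log format, the sample traffic, and the 300-second block duration are all constructed assumptions. It buckets requests per (IP, second), applies the three tests in order, and puts any source that trips all three on a temporary blocklist that expires on its own, which is the "temporarily deflect" half of the suggestion.

```python
"""Rate-and-pattern heuristic for HULK-style application-layer floods.

Added example (not from the article or the commenter). Thresholds follow
the reader comment: within a one-second window, flag a source IP that
  (1) makes at least 10 requests,
  (2) changes its User-Agent string on at least 60% of those requests, and
  (3) aims at least 80% of them at a single resource.
The log format and the sample lines below are constructed for this example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    ts: int      # request time in whole seconds (bucketed per second)
    ip: str
    path: str
    ua: str


def parse_line(line: str) -> Request:
    """Constructed log format: '<unix_ts> <client_ip> <path> <user-agent...>'."""
    ts, ip, path, ua = line.rstrip("\n").split(" ", 3)
    return Request(int(ts), ip, path, ua)


def flag_sources(requests, min_rps=10, ua_change_ratio=0.6, single_path_ratio=0.8):
    """Return {ip: evidence} for every (ip, second) bucket that trips all three tests."""
    buckets = defaultdict(list)
    for r in requests:
        buckets[(r.ip, r.ts)].append(r)

    flagged = {}
    for (ip, ts), reqs in buckets.items():
        n = len(reqs)
        if n < min_rps:                      # test (1): requests per second
            continue
        # Test (2): fraction of requests whose UA differs from the previous
        # request by the same IP in this bucket. A tool that randomises the UA
        # per request scores close to 1.0; a real browser scores 0.
        changes = sum(1 for a, b in zip(reqs, reqs[1:]) if a.ua != b.ua)
        ua_ratio = changes / (n - 1)
        if ua_ratio < ua_change_ratio:
            continue
        # Test (3): share of the bucket aimed at the single most-requested path.
        top_path, top_count = Counter(r.path for r in reqs).most_common(1)[0]
        path_ratio = top_count / n
        if path_ratio < single_path_ratio:
            continue
        flagged[ip] = {"second": ts, "requests": n,
                       "ua_change_ratio": round(ua_ratio, 2),
                       "top_path": top_path, "top_path_ratio": round(path_ratio, 2)}
    return flagged


class TemporaryBlocklist:
    """Deflect a flagged source for ttl_seconds, then let it back in automatically."""

    def __init__(self, ttl_seconds=300):   # 300 s is an assumed value
        self.ttl = ttl_seconds
        self._until = {}

    def add(self, ip, now):
        self._until[ip] = now + self.ttl

    def is_blocked(self, ip, now):
        expiry = self._until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self._until[ip]              # entry expired: forget it
            return False
        return True


def detect_and_block(lines, blocklist, **thresholds):
    """Parse raw log lines, flag offending sources and block them from the second they were seen."""
    flagged = flag_sources(map(parse_line, lines), **thresholds)
    for ip, evidence in flagged.items():
        blocklist.add(ip, evidence["second"])
    return flagged


# Constructed sample traffic, all within unix second 1000.
SAMPLE_LOG = (
    # Flood source: 12 requests, a fresh User-Agent on every request, all at /login
    [f"1000 203.0.113.7 /login Mozilla/5.0 (flood-client-{i})" for i in range(12)]
    # Busy but legitimate crawler: 15 requests, one constant UA, many distinct paths
    + [f"1000 198.51.100.3 /page{i} ExampleBot/1.0" for i in range(15)]
    # Rotating-UA scraper: 10 requests, UA changes every time, but spread over 3 paths
    + [f"1000 198.51.100.9 /item{i % 3} Mozilla/5.0 (scraper-{i})" for i in range(10)]
    # Ordinary user: 4 requests alternating between two pages
    + [f"1000 192.0.2.10 {'/login' if i % 2 else '/home'} Mozilla/5.0 (Windows NT 6.1)"
       for i in range(4)]
)


if __name__ == "__main__":
    bl = TemporaryBlocklist(ttl_seconds=300)
    for ip, ev in detect_and_block(SAMPLE_LOG, bl).items():
        print(f"flagged {ip}: {ev}")
    print("203.0.113.7 blocked at t=1100:", bl.is_blocked("203.0.113.7", 1100))
    print("203.0.113.7 blocked at t=1300:", bl.is_blocked("203.0.113.7", 1300))
```

Only the flood source is flagged: the crawler fails test (2) because its User-Agent never changes, the scraper fails test (3) because its requests are spread over several paths, and the ordinary user never reaches ten requests in a second. The ordering of the tests matters for cost: the cheap per-second count rejects almost every bucket before the UA and path comparisons run.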